The Amazon affiliate lite Plugin is vulnerable to stored Cross‑Site Scripting (CWE‑80). An attacker who has authenticated administrator‑or‑above privileges can insert arbitrary JavaScript into the plugin’s admin settings. When a susceptible page is loaded by any site visitor, the embedded script executes within that user’s browser context, allowing theft of session cookies, credential hijacking, or defacement of the site. The flaw arises from insufficient input sanitization and output escaping on the administrative side. This is a moderate‑severity flaw, scored 4.4 on CVSS, and is not currently listed in the CISA KEV catalog.

The vulnerability affects installations of the Amazon affiliate lite Plugin for WordPress version 1.0.0 and earlier. It only applies to multi‑site networks and to sites that have the unfiltered_html feature disabled. Administrators with full control over the network can exploit the control panel of any site within the network.

This flaw has a CVSS base score of 4.4, indicating moderate risk, and an EPSS score of less than 1 %, suggesting a very low probability of exploitation in the wild. Because the vulnerability requires authenticated administrator‑level access, it is not exploitable by unauthenticated users or standard site visitors. The lack of a KEVlisting further implies that public exploits are not widespread. Attackers would need to compromise an existing administrator account or gain access through social engineering to inject malicious code into the plugin’s settings, after which any user who views the affected page would be exposed to the embedded script. The impact is limited to user‑browser‑level attacks rather than server compromise.